Microsoft Windows SMB Zero-Day Vulnerability

A new zero-day exploit exists in the wild for Windows SMB. Security researcher Gaffie discovered this vulnerability three months ago. Since Microsoft failed to patch it in the past three months, he released it. This vulnerability is specifically a null pointer dereference error in SMB (server message block) which allows a remote, unauthenticated attacker to cause a denial of service condition on a vulnerable system. This vulnerability, however, cannot be used for code execution.

The vulnerability exists because of the manner in which Microsoft Windows handle SMB traffic. Microsoft Windows fails to handle a crafted SMB tree connect response from a malicious server. When an SMB tree connect request is processed successfully by the server, the server responds with SMB tree connect response packet. The total length of an SMB2 TREE_CONNECT response packet is 16 bytes in addition to the fixed SMB2 header. Thus the client always expects the SMB2 TREE_CONNECT response length to be not more than 16 bytes. The packet structure of a proper SMB2 TREE_CONNECT response packet is given below. More details can be found here.

Source: https://msdn.microsoft.com/en-us/library/cc246499.aspx

If a Windows client connects to a malicious SMB server and the server responds with a crafted response having more than 16 bytes, then Windows client systems crash i.e. Blue Screen of Death (BSOD) appears and system reboots itself. Thus, if the total message size in Tree Connect response is very large, windows is not able to handle it and trigger the buffer overflow. The crash has been confirmed with fully-patched Windows 10, Windows 8.1, Windows Server 2016 and Windows Server 2012 R2 systems.

Exploit code for this vulnerability is available. GitHub has already released the PoC code for exploiting this vulnerability on Windows 10. It is available for anyone to use. The exploit implements an SMBv3 server, and the clients supporting SMBv3 connecting to it will be affected. An attacker would have to trick the victim into connecting to this malicious server.

To understand what actually triggers the crash, we will set up the malicious SMB server provided here and will try to connect to it from a fully patched Windows 10 machine, while capturing the packets. Upon running the script, the malicious server listens as expected on port 445 as shown below,

Once we try to connect to the malicious server from a fully patched Windows 10, it crashes resulting in BSOD.

Upon analyzing the packet details we can see the malicious server does not send only 16 bytes SMB2 TREE_CONNECT response but sends some additional extra bytes (C’s here) which trigger the buffer overflow in mrxsmb20.sys, resulting in BSOD and system reboot. Below are details captured by Wireshark.

There is no official patch from Microsoft as of now. All Windows users are left open to potential attacks. An obvious temporary workaround to this security issue is blocking outbound SMB connections i.e TCP ports 139 and 445 and UDP ports 137 and 138.